Control whether WP Ghost applies custom paths only to visitors or also to logged-in users. By default, WP Ghost changes paths only on the frontend for non-logged-in visitors and bots. That’s the safest approach – it protects your site from scanners while keeping full compatibility with page builders, admin tools, and plugins. But if you run a WooCommerce store, membership site, or any site where logged-in users browse the frontend, you may want those users to see custom paths too. This toggle controls that behavior.
When WP Ghost is active, it replaces default WordPress paths (/wp-content/, /wp-includes/, plugin and theme names) with your custom paths. The Change Paths for Logged Users option determines who sees those custom paths: only non-logged-in visitors (the default), or all users including those who are logged in.
With this option disabled (default): visitors and bots see custom paths on the frontend. Logged-in users (admins, editors, authors, subscribers, WooCommerce customers) see the original WordPress paths when they browse the frontend. The admin dashboard always uses original paths.
With this option enabled: everyone sees custom paths on the frontend – visitors, bots, and logged-in users alike. The admin dashboard still uses original paths unless you specifically use the WP Ghost Admin Mapping extension.
This is a compatibility decision, not a security one. Both settings protect your site from bots and scanners. The question is whether logged-in users should also see custom paths – and whether your plugins can handle that. Here’s the guidance for your hack prevention strategy:
Keep it disabled (default) if you use page builders. Elementor, Divi, WPBakery, Beaver Builder, and similar visual editors rely on default WordPress file paths during editing and preview. Changing paths for logged-in users can break their live preview, drag-and-drop editing, and template rendering. If you use any page builder, the safest approach is to leave this option off. Your site is still fully protected – bots and visitors see custom paths. Only you (while logged in and editing) see the originals.
Enable it for WooCommerce and membership sites. On an e-commerce site, logged-in customers browse the frontend – viewing products, adding items to cart, checking their account page. If paths are only changed for non-logged-in users, a logged-in customer who views the page source can see default /wp-content/ and /wp-includes/ paths. For most sites this doesn’t matter, but if you want maximum CMS concealment from all users (including authenticated ones), enable this option. WP Ghost is fully compatible with WooCommerce with this option enabled.
Enable it when you have no page builder conflicts. If your site doesn’t use visual page builders and all plugins work correctly with custom paths, there’s no downside to enabling this. It ensures that every frontend request – regardless of authentication status – uses custom paths consistently.
About the admin dashboard: Neither setting changes paths inside the WordPress admin dashboard. The dashboard always uses original WordPress paths. If you specifically need to change paths within the admin area (advanced use case for high-security membership sites), WP Ghost offers a separate Admin Mapping extension for that purpose. This is not recommended for most sites.
After saving, log out and log back in to see the change take effect. Then browse your site’s frontend as a logged-in user and check the page source to confirm custom paths are appearing.
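The page-source check described above can be scripted. This is an added example, not WP Ghost code: it reports where default WordPress paths still appear in a saved page source, including the slash-escaped form used in inline scripts. The two HTML samples, the host shop.example and the custom paths /core/ and /lib/ are constructed for illustration.

```python
from html.parser import HTMLParser

# Default WordPress path markers named on this page.
DEFAULT_MARKERS = ("/wp-content/", "/wp-includes/")
URL_ATTRS = {"src", "href", "srcset", "action", "data-src"}

# Constructed page-source samples (shop.example and /core/, /lib/ are made up).
ANON_HTML = r"""<link rel="stylesheet" href="https://shop.example/core/views/main.css">
<script src="https://shop.example/lib/js/jquery.js"></script>"""
LOGGED_IN_HTML = r"""<link rel="stylesheet" href="https://shop.example/wp-content/themes/store/style.css">
<img srcset="https://shop.example/wp-content/uploads/a.jpg 1x">
<script>var cfg = {"url":"https:\/\/shop.example\/wp-includes\/js\/api.js"};</script>"""


class PathAudit(HTMLParser):
    """Record where default WordPress paths appear in a page's source."""

    def __init__(self):
        super().__init__()
        self.hits = []            # (location, marker) pairs, in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self._check(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # Inline JSON often escapes slashes (\/wp-content\/), which a
            # plain text search for "/wp-content/" would miss.
            self._check("<script> body", data.replace("\\/", "/"))

    def _check(self, location, text):
        self.hits += [(location, m) for m in DEFAULT_MARKERS if m in text]


def audit(html):
    """Return every (location, marker) hit found in one page-source string."""
    parser = PathAudit()
    parser.feed(html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for label, html in (("logged out", ANON_HTML), ("logged in", LOGGED_IN_HTML)):
        print(label, audit(html) or "no default paths")
```

Run it against the source saved from a logged-out session and from a logged-in session: with the option enabled, both should return no hits.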
Almost always a caching issue. When you disable the option, cached pages may still serve the old custom paths to logged-in users. Clear your WordPress caching plugin, CDN cache (Cloudflare, BunnyCDN, etc.), and server cache. Then do a hard refresh in your browser. If your caching plugin serves different cached versions for logged-in vs logged-out users, make sure it regenerates the logged-in cache after the change.
This is the most common issue. Page builders like Elementor, Divi, and WPBakery expect default WordPress file paths during editing. If you enable path changes for logged users and your page builder breaks (editor won’t load, preview fails, drag-and-drop stops working), disable this option. Your site is still protected – bots always see custom paths. Only the logged-in editing experience uses original paths.
If you’ve lost access or something broke, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily.
Yes. With this option disabled, all non-logged-in visitors and bots see custom paths. Since bots and automated scanners are never logged in, they always encounter custom paths. The only people who see original paths are logged-in users browsing the frontend – and those are people you’ve already authenticated.
It depends on your security requirements. If you want logged-in customers to also see custom paths when they browse your store, enable it. If you’re primarily concerned with bot protection and don’t mind authenticated customers seeing default paths in the page source, leave it disabled. WooCommerce works correctly in both states.
Elementor, Divi Builder, WPBakery Page Builder, Beaver Builder, and Brizy are the most common ones affected. They rely on default WordPress file paths for their live editing and preview functionality. If you use any visual page builder, test with this option enabled before committing to it. If the editor breaks, disable it – your security is unaffected.
No. The WordPress admin dashboard always uses original paths regardless of this setting. If you need to change paths within the admin area (a rare, advanced use case), WP Ghost offers a separate Admin Mapping extension. This is not recommended for most sites due to potential compatibility issues.
No. All path changes are handled through URL rewrite rules and WordPress filters at runtime. No files are modified, moved, or renamed. Disabling the option or deactivating WP Ghost restores default behavior instantly.